Hello ETT Team,
I am currently working on the H1_DNS_AB_Normal test case for the Direct address:
As shown in the attached screenshots, the DNS lookup step is passing successfully — the tool is able to discover the CERT record from my authoritative DNS server.
However, the test is failing at the “Validation of discovered certificate(s)” step.
My authoritative DNS server (CoreDNS on AWS EC2) returns the CERT record correctly.
DCDT confirms successful DNS discovery:
The next step fails:
This indicates that the certificate was found, but it did not pass the validation rules required by the Direct Project / ETT validator.
🔍 What I need guidance on
Could you please help clarify:
Which certificate validation rules are failing?
(e.g., CN mismatch, SAN format, KeyUsage, EKU (emailProtection), BasicConstraints, SKI/AKI, etc.)
What exact certificate requirements must be met for the H1 DNS Address-Bound validation?
How can I verify my certificate structure locally to ensure it conforms to the Direct Project certificate profile before publishing it in DNS?
I have already ensured:
CERT record is correctly formatted
CN and SAN contain the correct Direct address
DNS zone and delegation are functioning properly
But since the validator reports “Binding Type: NONE” and “No valid certificates discovered,” I need help understanding which specific validation rule the certificate is failing.
Any guidance or examples of a fully compliant certificate profile would be very helpful.
Thank you for your assistance.
Regards,
Pranav Kulkarni
